Recently, there have been a few blog posts discussing evidence found on a system when USB devices are connected and removed (Yogesh Khatri’s blog series and Nicole Ibrahim’s blog). I’ve been meaning to release this post for a while and Yogesh and Nicole’s posts have motivated me to do so. Much of the conversation regarding USB device activity on a Windows system often surrounds the registry, but the Windows 7 Event Log can provide a wealth of information in addition to the registry. Utilizing the Event Log during USB device investigations has been mentioned in various other locations, including chapter 5 of Harlan Carvey’s Windows Forensics Analysis 3/E (and recently in Yogesh Khatri’s blog). This post discusses both USB device connection and disconnection artifacts found in the Windows 7 Event Log, specifically the Microsoft-Windows-DriverFrameworks-UserMode/Operational log, and explores an interesting value that can be used to pair a device’s connection event with its associated disconnection event.
Connection Event IDs
When a USB removable storage device is connected to a Windows 7 system, a number of event records should be generated in the Microsoft-Windows-DriverFrameworks-UserMode/Operational event log. The records include those with Event ID 2003, 2004, 2005, 2010, 2100, 2105, and more. Some of the generated event records contain identifying information about the USB device that was connected. For example, when viewing an event record with Event ID 2003 using the Windows Event Viewer, the event information below is displayed.
A portion of the text in the screenshot above should look familiar to most, as it contains some of the same information about a USB device that can be found in the SYSTEM hive. Importantly, the device serial number (“000ECC0100087054”) is stored in the last portion of the event record’s strings section. Combined with the record’s TimeGenerated field, an examiner can derive the date and time that a USB device was connected to the machine.
Disconnection Event IDs
When a USB thumb drive is disconnected from a Windows 7 system, a few event records should be generated in the same event log as the connection events. Records with Event ID 2100, 2102, and potentially more may be generated when a USB device is disconnected. Variables such as whether there is another USB removable storage device still connected to the system at the time a USB device is disconnected can dictate which event records are generated and which are not. Some records, however, appear to be more consistent. For example, it appears that an event record with Event ID 2100 and the text “Received a Pnp or Power operation (27, 23) for device <deviceInfo>” is consistently generated when a USB removable storage device is disconnected from a system. In addition, the same event record should contain the device’s serial number/Windows unique identifier that can be mapped to a device. An example of some of the information available from a disconnection event record with Event ID 2100 can be seen in the screenshot below.
The LifetimeID value associated with a USB device’s connection session is an interesting piece of information. This GUID value is assigned to a UMDF (User Mode Driver Framework) host when a USB device is connected and should remain the same throughout the connection “lifetime” of the device. In other words, an examiner should be able to match the LifetimeID written to a device’s connection event records with the LifetimeID written to the device’s disconnection event records in order to tie a particular disconnection event with its associated connection event.
This is simple enough when a single USB device is used. When multiple USB devices are used at once, however, they appear to all use the same UMDF host and are all assigned the same LifetimeID. This means that a LifetimeID value cannot be tied to a single USB device, but it appears that it can be used to correlate device connections and disconnections on a per-session basis.
Utilizing the LifetimeID associated with a device connection session can help in developing a timeline that, among other things, indicates the length of time a particular device was connected to the system. In addition, the LifetimeID is useful in pairing a device’s connection event with its corresponding disconnection event. Since there may not be the same number of connection and disconnection events (e.g. a device is removed after the system has been powered down so no disconnection events are generated), the LifetimeID can help to make sense of various connections and disconnections and correctly pair the two together for a particular device.
In addition to being used to determine the length of a USB device’s connection session via the Windows Event Log, the LifetimeID value may play an interesting and useful role in determining the time a USB device was last disconnected from the system, based on the LastWrite time of a registry subkey. I’ll forego this discussion for now since this post is focused on event records, but will revisit this topic later.
Automating the process of identifying connection and disconnection event records can really allow the power of utilizing the Windows Event Log in USB analysis to shine. While entirely possible, it would be a tedious process to manually analyze the Windows Event Log for USB connection/disconnection events. Microsoft Log Parser is a great tool for processing the Event Log in this manner. Given that event records associated with a device’s connection and disconnection will contain identifying information as well as a timestamp, it’s just a matter of isolating the event records associated with connection and disconnection and parsing portions of the strings section of the record. For example, the Log Parser query below returns all event records with Event ID 2003 (connect) or 2100 (disconnect) as long as the device serial number/Windows unique identifier (“1372995DDDCB6185180CDB&0” in this case) is contained in the Strings portion of the event record and, in the case of a disconnection event, the text “27|23” is also in the Strings portion.
logparser -i EVT -o datagrid "SELECT EventID, TimeGenerated FROM Microsoft-Windows-DriverFrameworks-UserMode-Operational.evtx WHERE (EventID=2003 AND Strings LIKE '%1372995DDDCB6185180CDB&0%') OR (EventID=2100 AND Strings LIKE '%1372995DDDCB6185180CDB&0%27|23%')"
If you want to clean up the output and add a bit more information, you can use the Log Parser query below (replacing “1372995DDDCB6185180CDB&0” with the USB serial number/Windows unique identifier you’re interested in).
logparser -i EVT -o datagrid "SELECT CASE EventID WHEN 2003 THEN 'Connect' WHEN 2100 THEN 'Disconnect' END AS Event, TimeGenerated AS Time, '1372995DDDCB6185180CDB&0' AS DeviceIdentifier, EXTRACT_TOKEN(Strings,0,'|') AS LifetimeID FROM Microsoft-Windows-DriverFrameworks-UserMode-Operational.evtx WHERE (EventID=2003 AND Strings LIKE '%1372995DDDCB6185180CDB&0%') OR (EventID=2100 AND Strings LIKE '%1372995DDDCB6185180CDB&0%27|23%')"
As you can see, Log Parser dramatically reduces the leg work involved in analyzing event records for USB connection and disconnection events. Moreover, Log Parser queries can easily be incorporated into a batch script that allows the examiner to input the device serial number he or she is interested in to quickly identify the connection and disconnection events associated with the device. The LifetimeID value can then be used to match associated connection and disconnection events.
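The pairing logic described in the LifetimeID discussion and in the Log Parser queries above, carried through in Python as an added example (this is not code from the original post, and it does not use Log Parser). The records below are constructed: they mimic the Strings field that Log Parser's EVT input exposes, with the UMDF host LifetimeID first and the insertion strings joined with "|", which is an assumption based on the post's EXTRACT_TOKEN(Strings,0,'|') and '%27|23%' patterns rather than a verified field order. The two LifetimeID GUIDs and the three device paths are made up; the trailing {53f56307-...} GUID is the real disk device interface class GUID.

```python
"""Pair USB connect (2003) / disconnect (2100) records by LifetimeID and serial.

Added example; not code from the original post. Record layout is an assumption:
Log Parser's EVT input exposes the insertion strings joined with '|', with the
UMDF host LifetimeID first, as the post's EXTRACT_TOKEN(Strings,0,'|') implies.
"""
from datetime import datetime
import re

# Constructed sample values (not taken from a real log).
LT1 = "{11111111-2222-3333-4444-555555555555}"   # UMDF host LifetimeID, first boot
LT2 = "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"   # UMDF host LifetimeID, second boot
CLS = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"   # disk device interface class GUID
LEXAR = "SWD\\WPDBUSENUM\\_??_USBSTOR#DISK&VEN_LEXAR&PROD_JUMPDRIVE&REV_1100#1372995DDDCB6185180CDB&0#" + CLS
SANDISK = "SWD\\WPDBUSENUM\\_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER&REV_1.26#000ECC0100087054&0#" + CLS
GENERIC = "SWD\\WPDBUSENUM\\_??_USBSTOR#DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07#7&2f1c3b5a&0#" + CLS

# Constructed records as (EventID, TimeGenerated, Strings).
SAMPLE_RECORDS = [
    (2003, "2013-09-01 08:00:00", f"{LT1}|{LEXAR}"),
    (2003, "2013-09-01 08:05:00", f"{LT1}|{SANDISK}"),     # second device, same UMDF host
    (2100, "2013-09-01 08:07:00", f"{LT1}|{LEXAR}|2|3"),    # a PnP operation that is not a removal
    (2100, "2013-09-01 08:30:00", f"{LT1}|{LEXAR}|27|23"),  # Lexar removed
    # The SanDisk never gets a (27, 23) record: the machine was shut down with it attached.
    (2003, "2013-09-01 09:00:00", f"{LT2}|{GENERIC}"),      # device with a Windows-generated id
    (2100, "2013-09-01 09:10:00", f"{LT2}|{GENERIC}|27|23"),
]

# Same tokens the Log Parser extract_token() calls pull out of the device instance path.
DEVICE_PATH_RE = re.compile(
    r"USBSTOR#DISK&VEN_(?P<vendor>[^&]*)&PROD_(?P<product>[^&]*)"
    r"&REV_(?P<rev>[^#]*)#(?P<serial>[^#]*)#", re.IGNORECASE)


def parse_strings(strings):
    """Split a pipe-joined Strings field into (lifetime_id, device-info dict).

    Returns None when no USBSTOR disk path is present (some other UMDF device).
    """
    match = DEVICE_PATH_RE.search(strings)
    if match is None:
        return None
    device = match.groupdict()
    # A device that reports no serial gets a Windows-generated instance id such as
    # "7&2f1c3b5a&0", whose second character is '&'; a real serial has none there.
    device["unique_serial"] = device["serial"][1:2] != "&"
    lifetime_id = strings.split("|", 1)[0]
    return lifetime_id, device


def is_removal(event_id, strings):
    """Event ID 2100 carrying the (27, 23) PnP operation marks a device removal."""
    return event_id == 2100 and "27|23" in strings


def pair_sessions(records, fmt="%Y-%m-%d %H:%M:%S"):
    """Build connection sessions from (EventID, TimeGenerated, Strings) records.

    A 2003 record opens a session keyed by (LifetimeID, serial); the first later
    removal record with the same key closes it. Keying on both values keeps two
    devices that share a UMDF host (and so a LifetimeID) apart. A session that
    never sees a removal stays open with disconnected=None, which is what a
    shutdown with the device still attached looks like in the log.
    """
    open_sessions = {}
    sessions = []
    for event_id, ts, strings in sorted(records, key=lambda r: r[1]):
        parsed = parse_strings(strings)
        if parsed is None:
            continue
        lifetime_id, device = parsed
        key = (lifetime_id, device["serial"])
        when = datetime.strptime(ts, fmt)
        if event_id == 2003 and key not in open_sessions:
            session = dict(device, lifetime_id=lifetime_id, connected=when,
                           disconnected=None, duration=None)
            open_sessions[key] = session
            sessions.append(session)
        elif is_removal(event_id, strings) and key in open_sessions:
            session = open_sessions.pop(key)
            session["disconnected"] = when
            session["duration"] = when - session["connected"]
    return sessions


if __name__ == "__main__":
    for s in pair_sessions(SAMPLE_RECORDS):
        end = s["disconnected"] or "no removal record in log"
        print(f'{s["vendor"]} {s["product"]} {s["serial"]}: {s["connected"]} -> {end} '
              f'({s["duration"]}) LifetimeID {s["lifetime_id"]}')
```

On the constructed input this yields three sessions: the Lexar drive connected for 30 minutes under the first LifetimeID, the SanDisk left open because no (27, 23) record exists for it, and a 10 minute session under the second LifetimeID for a device whose identifier Windows generated. Feeding it real data is a matter of exporting EventID, TimeGenerated and Strings from the log with Log Parser (for example to CSV) and loading those rows into the same tuples.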
As with other event logs, event records in the Microsoft-Windows-DriverFrameworks-UserMode/Operational event log eventually roll over, leaving the examiner with a limit on how far back in time he or she can go. However, utilizing Volume Shadow Copies (VSCs) can allow an examiner to squeeze a bit more out of this approach and ultimately build a very telling history of USB device connection and disconnection events.
Yup, it's such a great tip for Windows 7 users. Thanks for sharing a great post.
It doesn't seem to create the logs for all types of drives. I have two Lexar drives and one Sandisk drive, and it would only show up for the Lexar drives.
That's interesting – I'll have to take a look at this. Is the Sandisk a typical flash drive? Anything out of the ordinary with it?
Do you have a solution for the Sandisk?
I have the same experience with a Sandisk – it shows up as a Local Disk, not a removable.
Is this relevant to other USB devices such as Headsets/Microphones? Been plugging those in and out and don't see the events you are referring to in that Operation log…
I can't say for sure that the types of devices you mentioned won't be included in this log, but I doubt they're recorded in the same manner as USB removable storage devices. Do you see any events being generated for these devices?
I wonder if WinXP event logs do this too . . . . would help at work.
Hi, I'm trying this query on a Win7 machine:
logparser -i EVT -o datagrid "SELECT EventID, TimeGenerated FROM Microsoft-Windows-DriverFrameworks-UserMode-Operational.evtx"
But getting this error:
Error: Error retrieving files: Error opening file "C:\Temp\Microsoft-Windows-DriverFrameworks-UserMode-Operational.evtx": The system cannot find the file specified.
(Running from an admin command prompt.)
Any thoughts ?
Try extracting or copying the event log from the System32\winevt\Logs directory into C:\Temp (or wherever you're executing LogParser from) and rerunning the command. You'll also need to replace "Microsoft-Windows-DriverFrameworks-UserMode-Operational.evtx" with "Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx".
If you are testing against your own system then the command would be:
logparser -i EVT -o datagrid "SELECT EventID, TimeGenerated FROM Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx"
The above will basically dump the Event ID and TimeGenerated of every record in this event file. You will need to perform some selection criteria to turn the data into information. Adding the field "Strings" will help somewhat.
Cannot open : Error opening event log "\\?\C:\Program Files (x86)\Log Parser 2.2\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx": The parameter is incorrect.
This is what I get when I try to run the script. I have copied the log file into the Log Parser program folder and am running as admin. Any thoughts?
I haven't been able to recreate your error so I can't say for sure what the issue is, but have you tried changing your file path parameter? You could try changing your working directory to the "Log Parser 2.2" directory and specifying the event log without the full path. You could also move the LogParser.dll, LogParser.exe, and your event log into another folder (outside of Program Files) to see if that makes a difference.
I'm looking for the Microsoft-Windows-DriverFrameworks-UserMode/Operational log in a Win 8.1 system, without success.
I think that this log only exists in a Win 7 system.
Do you know if this log has been changed or renamed in Win 8?
In my testing a few months back, this event log was disabled on Windows 8.1. If enabled, you should find it in its normal location. I have not conducted extensive testing to see if the event IDs and record details are the same between Windows 7 and 8.1.
There seem to be several typos in the document that make a big difference. When using the serial number, it seems you need to use a % before and after the serial number (ex: WHERE (EventID=2003 AND STRINGS Like '%070134C10H655B32&0%') OR (EventID=2100 AND STRINGS LIKE '%070134C10H655B32&0%27|23%')").
Also the path was giving me issues when using copy/paste, as the documentation above has some typos (needing to use %4 instead of a -):
TimeGenerated FROM Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx
As mentioned earlier, it's best to move the dll and exe into an empty folder and then copy the log file (Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx) from c:\windows\System32\winevt\Logs; you can rename it test.evtx to make your command lines shorter and easier to troubleshoot with.
Thanks for the comment. It looks like the wildcard wasn't in front of the serial in all places of the post so I've updated that. The file name wasn't necessarily meant to be copied and pasted; I was just identifying where the file name should go in the LogParser command. You might find the batch script I wrote to automate this process helpful as well – http://dfstream.blogspot.com/2014/02/usb-device-tracking-batch-script.html.
This doesn't work at all for external hard drives. No event is logged under Microsoft-Windows-DriverFrameworks-UserMode/Operational.
I have a 2TB external drive formatted using Ntfs. The only event I found that gets logged when I connected it is Event 98, and I may be lucky because that's an Ntfs event, the source is Microsoft-Windows-Ntfs.
The other bad part is that this event id doesn't have enough useful data. The only EventData is:
I'm on Win 8.1 Pro x64 by the way
Yes, unfortunately external hard drives are not currently tracked in this event log (at least not the last time I checked). This was the case with Windows 7 as well.
Hi. Are these files relevant to the operation of the Windows operating system, or merely log files? If deleted, will they affect the operation of Windows?
How was the sandisk readable?
Great blog post, really helpful, and your blog is very interesting. midnightinfo
Hi, my external disk was stolen last night. I would like to find out the time when my external hard disk was unplugged from my PC. I looked at the Windows events, however I cannot find anything useful. It seems that no events were registered when the thief disconnected the disk. I am on Windows 7 Professional.
I’d like a way to figure out what’s causing these random plug-n-play badonk sounds.
I know this post is old, but I improved the Log Parser query.
SELECT TimeGenerated AS Date, ComputerName,
CASE EventID WHEN 2003 THEN 'Connect' ELSE 'Disconnect' END AS Event,
extract_token(extract_token(Strings,1,'&'),1,'VEN_') AS Vendor,
extract_token(extract_token(Strings,2,'&'),1,'PROD_') AS Product,
extract_token(extract_token(extract_token(Strings,3,'&'),1,'REV_'),0,'#') AS Version,
extract_token(Strings,2,'#') AS Serial_#,
CASE strcnt(substr(extract_token(Strings,2,'#'),1,1),'&') WHEN 1 THEN 'No' ELSE 'Yes' END AS Unique_Serial
FROM Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx
WHERE EventID=2003 OR (EventID=2100 AND Strings LIKE '%27|23%')
ORDER BY Date DESC
Thanks for the recommendation.